topic Re: HP-UX Account is disabled upon password expiry in Operating System - HP-UX

HP-UX Account is disabled upon password expiry

Wan Yue Gong — Sun, 04 Jul 2004 21:07:33 GMT

Hi all,

Can I check with you:

- how can I confirm that my HP-UX B.11.00 U 9000/800 has been converted to Trusted System?

My company has such a security policy:
- to force password change upon password reset by administrator
- to change password on the next 90th day upon password update
- to warn password expiry 5 days before the password expires
- not to allow password change initiated by user within 7 days once the password is updated by user
- disable id which is inactive for >90days

password aging policy has been set as such in SAM:
- Time between password changes (days): 7
- Password expiration time (days): 90
- Password expiration warning time (days): 5
- Password life time (days): 90

My questions are:
- is the above being set correctly in SAM according to the policy?
- users are complaining that they don't get password expiry warning message from system, why is this so?
- users also complained that ids are being locked by system after 90 days upon password change, even if the id is active, why is this so?

Appreciate your assistance. Thanks in advance!

wanyue
wanyue.gong@aig.com

Re: HP-UX Account is disabled upon password expiry

Michael Tully — Sun, 04 Jul 2004 21:25:12 GMT

Running /usr/lbin/getprpw will tell you if your system is in trusted mode.

There are two sets up rules, one being system wide and those set in each users account. If they have not been changed at a user's level then the global rules would apply. Check the affected user accounts to see if anything has been set there.

Re: HP-UX Account is disabled upon password expiry

Wan Yue Gong — Sun, 04 Jul 2004 21:35:59 GMT

Thanks Mike.

When I run the command /usr/lbin/getprpw -r , I get this reply:

# /usr/lbin/getprpw -r
110, NO, 288, 1, -1, -1, -1, -1, Mon Apr 5 09:52:50 2004
, Mon Apr 5 09:51:55 2004
, -1, 90, -1, DFT, DFT, DFT, DFT, -1, DFT, DFT, -1, Tue Jun 29 15:57:33 2004
, Mon Jul 5 08:23:56 2004
, pts/t1, 1, pts/tl, -1, NO, 1000000

- how do I interprete the lines above?
- password aging criteria is set as such for the user:

PS 040504 7 90 5
90 000000

- do you see anything wrong with it (as compared to the company policy outlined in my 1st question)?

Thanks...

wanyue
wanyue.gong@aig.com

Re: HP-UX Account is disabled upon password expiry

Con O'Kelly — Sun, 04 Jul 2004 22:52:36 GMT

Hi Wanyue

You can use the following command to show what system wide defaults are in place:
# /usr/lbin/getprdef -p

The /usr/lbin/getprpw command shows settings for individual users.

To answer your last question, the getprpw output seems to suggest that the there is no expiry set for user as evidenced by the "-1" flag.
It appears that you have missed the actual variables in the output. Output should be in form:
# /usr/lbin/getprpw
uid=110, bootpw=NO, audid=31, audflg=1, mintm=-1, maxpwln=-1, exptm=-1, lftm=-1, spwchg=Wed Sep 10 15:12:23 2003........

Cheers
Con

Re: HP-UX Account is disabled upon password expiry

Wan Yue Gong — Sun, 04 Jul 2004 23:12:22 GMT

Thanks Con.

If the global setting is updated, what will happen to the existing user accounts? Will the policy be changed accordingly?

If not possible, how can I apply a script to change the current user account settings to follow the global setting?

rgds,
wanyue

Re: HP-UX Account is disabled upon password expiry

Con O'Kelly — Sun, 04 Jul 2004 23:33:22 GMT

Hi

Changing the global setting will not affect current users.

To change the current settings for a user you need to look at using the /usr/lbin/modprpw command or else SAM.

For example:
# /usr/lbin/modprpw -m exptm=90,expwarn=5,mintm=7

This will set password expiration at 90 days, minimum time between password changes to 7 days and warn users to change password 5 days prior to expiration.

Look at the man pages for modprpw which I have attached.
You need to be very careful using this from command line. Ensure that you don't expire users accounts when setting the 'exptm' value.

Cheers
Con

Re: HP-UX Account is disabled upon password expiry

Fred.Wu — Sun, 04 Jul 2004 23:46:34 GMT

/usr/lbin/getprpw can see if trust system.
or, you can check if /tcb exist, if yes, it should be a trust system.

To disable trust, run
/etc/tsconvert -r

Re: HP-UX Account is disabled upon password expiry

Con O'Kelly — Mon, 05 Jul 2004 00:07:22 GMT

Hi again

After using the modprpw command in my previous post, you can use:
# /usr/lbin/modprpw -l -v

This will reset the users last password change to the curent day/time so that their account will not be expired if for example their last password change was > 90 days.

Cheers
Con